AWS CloudHSM Client SDK 3 verify HSM performance with the pkpspeed tool
This topic describes how to verify AWS CloudHSM hardware security module (HSM) performance with Client SDK 3.
To verify the performance of the HSMs in your AWS CloudHSM cluster, you can use the pkpspeed (Linux) or pkpspeed_blocking (Windows) tool that is included with Client SDK 3. The pkpspeed tool executes under ideal conditions and directly calls the HSM to execute operations without going through an SDK such as PKCS11. We recommend load testing your application independently to determine your scaling needs. We do not recommend running the following tests: Random (I), ModExp (R), and EC point mul (Y).
For more information about installing the client on a Linux EC2 instance, see Install and configure the AWS CloudHSM client for CMU (Linux). For more information about installing the client on a Windows instance, see Install and configure the AWS CloudHSM client for CMU (Windows).
After you install and configure the AWS CloudHSM client, run the following command to start it.
If you have already installed the client software, you might need to download and install the latest version to get pkpspeed. You can find the pkpspeed tool at /opt/cloudhsm/bin/pkpspeed in Linux or C:\Program Files\Amazon\CloudHSM\ in Windows.
To use pkpspeed, run the pkpspeed command or pkpspeed_blocking.exe, specifying the user name and password of a crypto user (CU) on the HSM. Then set the options to use while considering the following recommendations.
Test recommendations
- To test the performance of RSA sign and verify operations, choose the RSA_CRT cipher in Linux or option B in Windows. Don't choose RSA (option A in Windows). The ciphers are equivalent, but RSA_CRT is optimized for performance.
- Start with a small number of threads. For testing AES performance, one thread is typically enough to show maximum performance. For testing RSA performance (RSA_CRT), three or four threads is typically enough.
Configurable options for the pkpspeed tool
FIPS Mode: AWS CloudHSM is always in FIPS mode (see AWS CloudHSM FAQs for details). You can verify this by using the CLI tools as documented in the AWS CloudHSM User Guide and running the Get hardware information for each HSM in an AWS CloudHSM cluster with CMU command, which indicates the FIPS mode status.
Test type (blocking versus non-blocking): This specifies how operations are performed in a threaded manner. You will most likely get better numbers using non-blocking, because non-blocking tests utilize threads and concurrency.
Number of threads: Number of threads to run the test with.
Time in seconds to run the test (max = 600): pkpspeed produces results measured in "OPERATIONS/second" and reports this value for each second that the test is run. For example, if the test is run for 5 seconds the output may look like the following sample values:
OPERATIONS/second 821/1
OPERATIONS/second 833/1
OPERATIONS/second 845/1
OPERATIONS/second 835/1
OPERATIONS/second 837/1
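Because pkpspeed reports one OPERATIONS/second line per second, a load test is only meaningful once those samples are reduced to a mean and a stability measure. The following is an added example (not part of the AWS documentation or the pkpspeed tool) that parses saved pkpspeed output and checks it against a throughput target; the sample output is constructed, and the reading of "821/1" as "821 operations over a 1-second interval" is an assumption.

```python
import re
from statistics import mean, pstdev

# Constructed sample of pkpspeed output (not captured from a real HSM).
# Assumed line format: "OPERATIONS/second <ops>/<interval_seconds>", one per second.
SAMPLE_OUTPUT = """\
Starting test...
OPERATIONS/second 821/1
OPERATIONS/second 833/1
OPERATIONS/second 845/1
OPERATIONS/second 835/1
OPERATIONS/second 837/1
Done.
"""

LINE_RE = re.compile(r"^OPERATIONS/second\s+(\d+)/(\d+)\s*$")


def parse_ops_per_second(output):
    """Return the per-interval throughput (ops/s) from pkpspeed output,
    skipping banner, prompt and other non-result lines."""
    rates = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a result line
        ops, secs = int(m.group(1)), int(m.group(2))
        if secs == 0:
            continue  # malformed interval; do not divide by zero
        rates.append(ops / secs)
    return rates


def summarize(rates):
    """Basic statistics over the per-second samples."""
    if not rates:
        raise ValueError("no OPERATIONS/second lines found in output")
    return {"samples": len(rates), "min": min(rates), "max": max(rates),
            "mean": mean(rates), "stdev": pstdev(rates)}


def meets_target(rates, target_ops_per_sec, max_cv=0.05):
    """True when mean throughput reaches the target and the run is stable,
    i.e. the coefficient of variation (stdev / mean) stays below max_cv."""
    s = summarize(rates)
    return s["mean"] >= target_ops_per_sec and (s["stdev"] / s["mean"]) <= max_cv
```

Feed it the captured stdout of a pkpspeed run (for example redirected to a file) and compare the mean against the rate your application needs, rather than reading single-second peaks off the console.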
Tests that can be run with the pkpspeed tool
AES GCM: Tests AES GCM mode encryption.
Basic 3DES CBC: Tests 3DES CBC mode encryption. See note 1 below for an upcoming change.
Basic AES: Tests AES CBC/ECB encryption.
Digest: Tests hash digest.
ECDSA Sign: Tests ECDSA sign.
ECDSA Verify: Tests ECDSA verify.
FIPS Random: Tests generation of a FIPS-compliant random number (Note: this can only be used in blocking mode).
HMAC: Tests HMAC.
Random: This test is not relevant because we are using FIPS 140-2 HSMs.
RSA non-CRT versus RSA_CRT: Tests RSA sign and verify operations.
RSA OAEP Enc: Tests RSA OAEP encryption.
RSA OAEP Dec: Tests RSA OAEP decryption.
RSA private dec non-CRT: Tests RSA Private key encryption (non-optimized).
RSA private key dec CRT: Tests RSA Private key encryption (optimized).
RSA PSS Sign: Tests RSA PSS sign.
RSA PSS Verify: Tests RSA PSS verify.
RSA public key enc: Tests RSA Public key encryption.
RSA public key encryption, RSA private decryption non-CRT, and RSA private key decryption CRT will also prompt the user to answer the following:
Do you want to use static key [y/n]
If y is entered, a pre-computed key is imported into the HSM. If n is entered, a new key is generated.
[1] In accordance with NIST guidance, this is disallowed for clusters in FIPS mode after 2023. For clusters in non-FIPS mode, it is still allowed after 2023. See FIPS 140 Compliance: 2024 Mechanism Deprecation for details.
Examples
The following examples show the options that you can choose with pkpspeed (Linux) or pkpspeed_blocking (Windows) to test the HSM's performance for RSA and AES operations.
Example – Using pkpspeed to test RSA performance
You can run this example on Windows, Linux, and compatible operating systems.